Teardown: WannaCry Ransomware
Investigators Hunt 'Patient Zero' as SMB Worm Continues to Propagate
The WannaCry ransomware outbreak that began Friday is being billed as one of the most severe cybersecurity episodes the world has ever seen. So far, the ransomware has infected about 216,000 endpoints in over 150 countries.
What's involved? Here's a teardown of the WannaCry - aka WannaCrypt, WanaCrypt0r, WCrypt, WCry - ransomware and the investigation.
What do the attackers want?
Infected endpoints display a ransom note demanding between $300 and $600 in bitcoins and warning that the price will double in 72 hours and that data will be left unrecoverable after seven days. So attackers are apparently seeking money.
Alternate theory: This is a psychological operation designed to cause maximum chaos, perhaps tied to North Korean missile tests and an unpredictable White House administration.
How does WannaCry spread?
WannaCry is packaged with a worm designed to target a Server Message Block (SMB) flaw in Windows. Once it infects an endpoint, the attack code can propagate to other network-connected devices. The ransomware does not appear to spread via email or phishing attacks, British security researcher Kevin Beaumont says.
For those confused about HOW WannaCry spreads: SMB. It's a worm. VPN links, MPLS, vendor remote access, partner networks, roaming laptops.— Kevin Beaumont (@GossiTheDog) May 16, 2017
Which countries have been hardest hit by WannaCry?
Security firm Avast says in a blog post that based on its telemetry data, these are the top 10 most-hit countries, in order: Russia, Ukraine, Taiwan, India, Brazil, Thailand, Romania, Philippines, Armenia and Pakistan.
Avast says that more than half of all attack attempts were against targets in Russia. Other security firms have independently corroborated that Russia was the top target, although it's not clear if that's by design.
Related attacks appear to still be propagating. On Wednesday, for example, Helsinki-based security firm F-Secure reported a rise in infections in Indonesia.
We're seeing a significant uptick in #WannaCry detections (on our back end telemetry) from Indonesia. Started 5 to 6 hours ago.— News from the Lab (@FSLabs) May 17, 2017
How can organizations and individuals protect themselves?
Computer emergency response teams have issued detailed guidance. In general, ensure that all Microsoft operating systems are running the latest patches - anything set to receive automatic Windows updates will already be protected. Users of outdated Windows operating systems - XP, 2003, 8 - should install the emergency patches released Friday. Also block SMBv1, which primarily communicates via TCP port 445. If that's not possible, shut down vulnerable systems and remove them from an electrical supply until they can be fixed.
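Because the worm reaches new hosts over TCP port 445, an infected machine shows up in connection logs as one source touching many internal hosts on that port in a short time. The following is an added example, not code from the original article or from any vendor named in it: it parses constructed firewall lines in a hypothetical format and flags sources that fan out to eight or more distinct TCP/445 targets within a sliding window, counting blocked probes as well as allowed ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical format: "<ISO time> <src> <dst> <dst_port> <proto> <action>"
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.1.15 10.0.2.7 445 tcp ALLOW
2017-05-12T09:00:02 10.0.1.15 10.0.2.8 445 tcp ALLOW
2017-05-12T09:00:02 10.0.1.15 10.0.2.9 445 tcp DENY
2017-05-12T09:00:03 10.0.1.15 10.0.2.10 445 tcp ALLOW
2017-05-12T09:00:03 10.0.1.15 10.0.2.11 445 tcp DENY
2017-05-12T09:00:04 10.0.1.15 10.0.2.12 445 tcp ALLOW
2017-05-12T09:00:05 10.0.1.15 10.0.2.13 445 tcp ALLOW
2017-05-12T09:00:06 10.0.1.15 10.0.2.14 445 tcp ALLOW
2017-05-12T09:00:09 10.0.1.20 10.0.2.7 445 tcp ALLOW
2017-05-12T09:00:10 10.0.1.20 10.0.2.50 443 tcp ALLOW
2017-05-12T09:01:00 10.0.1.20 10.0.2.8 445 tcp ALLOW
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+) (\w+)$")

def parse(text):
    events = []  # malformed lines are skipped rather than aborting the run
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        ts, src, dst, port, proto, action = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "proto": proto.lower(), "action": action})
    return events

def find_smb_fanout(events, window=timedelta(seconds=60), threshold=8):
    """Return {src: peak distinct TCP/445 targets} for sources reaching >= threshold
    distinct hosts inside any window. DENY lines count: a blocked probe is still a probe."""
    per_src = defaultdict(list)
    for e in events:
        if e["port"] == 445 and e["proto"] == "tcp":
            per_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()  # sliding window over time-ordered attempts
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

The threshold and window are tuning knobs: ordinary file servers legitimately accept many inbound 445 connections, so the rule keys on outbound fan-out from a single source, which is the worm's signature rather than a server's.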
What's with the "kill switch"?
After the WannaCry outbreak began, British security researcher known as MalwareTech registered a nonsensical domain name that he found in the WannaCry code.
Security experts believe the ransomware, in an effort to evade sandboxes - isolated analysis environments that security researchers use to study malware, and which often answer every DNS query - ran a lookup for a nonsensical domain name that didn't exist. If the lookup returned an error, the ransomware assumed that it had a legitimate connection to the internet, where an unregistered domain does not resolve, and kept going. If the lookup succeeded, it assumed that it was in a sandbox and killed itself before trying to encrypt any files.
By registering the domain name, MalwareTech accidentally but fortuitously made this assumption work against the ransomware.
In short: Score one for the good guys.
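The decision described above, modelled as an added example (not code from the original article, and not the actual WannaCry sample): the resolver is injected as a callable so the same check can be run against three constructed environments, and the domain is a deliberate placeholder rather than the real one. It also shows the caveat defenders learned from this episode: on a network where external names cannot be resolved at all, the lookup fails just as it did before the domain was registered, so the check still lets the malware proceed. Answering the domain internally (a sinkhole) is what makes the check halt it.

```python
import socket
from typing import Callable

# Hypothetical placeholder; the real kill-switch domain is intentionally not reproduced.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"

def would_proceed(resolve: Callable[[str], str], domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Model of the check the article describes: a lookup error is read as
    'real internet, domain unregistered' and the code carries on (True);
    any answer at all is read as 'sandbox faking DNS' and it exits (False)."""
    try:
        resolve(domain)
    except OSError:          # socket.gaierror is a subclass of OSError
        return True
    return False

# Three environments, modelled as resolver callables (constructed, no live DNS).
def unregistered(domain: str) -> str:
    raise socket.gaierror("NXDOMAIN")               # before the domain was registered

def sinkholed(domain: str) -> str:
    return "203.0.113.10"                           # registered, or answered by an internal sinkhole (TEST-NET-3)

def no_direct_dns(domain: str) -> str:
    raise socket.gaierror("no route to resolver")   # proxy-only LAN: lookup fails even after registration

def outcome(resolve: Callable[[str], str]) -> str:
    return "proceeds to encrypt" if would_proceed(resolve) else "halts"
```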
How did these attacks begin?
That remains unknown. Investigators are no doubt still hunting for "patient zero" to identify how the attacks were first launched and to potentially trace them back to a source.
"If I were law enforcement, I would be working to find who was the very first company impacted," Becky Pinkard, a vice president at cybersecurity firm Digital Shadows, tells the Wall Street Journal. "I would knock at the door and be asking, 'Can I look at your logs?'"
When was WannaCry built?
Security firms have offered the following timeline:
- WannaCry beta version: Feb. 9
- WannaCry version 1: March 28
- WannaCry version 2: Late April
Version 2 of WannaCry was subsequently bundled with the SMB-targeting worm and first appeared Friday, May 12, security firms report.
Has Microsoft patched the flaw targeted by the WannaCry SMB-targeting worm?
Yes. The flaw - addressed by Microsoft Security Bulletin MS17-010 - existed in all versions of Windows since XP and came to light in April, via a dump of "Equation Group" tools released by the Shadow Brokers. Microsoft quietly patched the SMB flaw in all supported operating systems in March.
Late Friday, however, Microsoft released free, emergency patches for Windows XP, Windows Server 2003 and Windows 8 users. Prior to that, the patches had only been available for customers who paid for pricey extended-support contracts for the operating systems, for which Microsoft has ceased providing mainstream support. Some security experts have lauded Microsoft for releasing the patches for free, while others have criticized it for no longer supporting older operating systems, including Windows XP, which was first released in 2001 and still accounts for 7 percent of all desktop operating systems, according to market researcher NetMarketShare.
How should victims respond?
The longstanding advice for combating ransomware is to prepare by maintaining up-to-date offline backups. "The best solution, if your PC is infected, is to recover your files from a backup, if available," Avast says. "You should do this on a clean machine, with all patches applied and for maximum security; you should do this offline to minimize the risk of encrypting the backup storage as well."
Is it worth paying the ransom?
Law enforcement agencies recommend that ransomware victims never pay ransoms because that directly funds cybercrime research and development. In some cases, victims who pay will face repeated shakedowns from attackers, demanding ever-increasing amounts of money in exchange for a promised decryption key. In at least some cases, despite paying a ransom, victims never receive a decryption key.
How many victims have paid the WannaCry ransom?
As of 9 a.m. U.S. Eastern Time Wednesday, the three bitcoin addresses hardcoded into the ransomware have received about 287 payments, totaling 44 bitcoins worth about $80,000. (May 18 update: as of 11 a.m. ET, 298 victims paid 46 bitcoins worth $85,000.)
Have victims received a decryption key in return?
The phrase "there's no honor amongst thieves" wasn't born in a vacuum. But security expert Mikko Hypponen, chief research officer at F-Secure, says that some victims who paid the ransom have received a working decryption key.
We have confirmation that some of the 200+ #WannaCry victims who have paid the ransom have gotten their files back. Still, not recommended.— Mikko Hypponen (@mikko) May 15, 2017
To service decryption key payments, many ransomware gangs will create highly automated processes - allowing them to scale their attacks - sometimes backed by customer support centers, for example, to offer discounts in return for prompt payment, or to walk victims through the process of buying bitcoins.
But the WannaCry campaign includes no such processes. Instead, ransom requests must be handled manually.
So WannaCry wasn't built by cybercrime masterminds?
Servicing ransom requests manually suggests that those behind WannaCry are amateurs. Sean Sullivan, a security adviser at F-Secure, also notes that the ransom-payment system - to track which victims have paid - involves the Dropbox online storage service, which could leave attackers open to being traced.
"These guys are clearly using rudimentary stuff that beginners were doing several years ago," Sullivan tells the Wall Street Journal.
Any clues as to who built WannaCry?
Nothing definitive, but North Korea is a potential culprit. A version of WannaCry seen in February contains code that was used in a 2015 attack tied to Lazarus - a hacking group security experts say ties to North Korea.
"It would not surprise me if the NSA knows the origins of this malware attack," security expert Bruce Schneier, CTO of IBM Resilient, says in a blog post.
Tom Bossert, a U.S. Department of Homeland Security adviser, said Monday in a White House press briefing that investigations continue, but he warned that "attribution can be difficult."
Can't security experts simply crack the crypto used by the ransomware?
Initially, as is often the case with modern crypto-locking ransomware, efforts to forcibly decrypt WannaCry-encrypted files failed. "There's no free decryption tool available at the moment, and based on our analysis, the encryption used seems to be very strong - AES-128 combined with RSA-2048," Avast said early last week.
As of May 18, however, there was one exception. Security researchers say they have yet to see the WannaCry campaign target Windows XP users. But just in case, Adrien Guinet, a security researcher at Paris-based cybersecurity firm Quarkslab, has published to GitHub a WannaCry decryptor called WannaKey, for any potential Windows XP and Windows 7 victims. Guinet has been joined in related efforts by Dubai-based security expert Matthieu Suiche and Benjamin Delpy, outside of his day job at Banque de France.
Guinet says the crypto keys generated by the ransomware on XP can be cracked thanks to the operating system's use of a weak random-number generator.
As of May 19, furthermore, Suiche reports that a similar tool built by Benjamin Delpy, called WanaKiwi and also released to GitHub, appears to work - in many cases - "for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2."
In short, victims now have two potential tools - WannaKey and WanaKiwi - that they can use to decrypt their PCs. But there's a caveat: the tools only work if the affected systems have not been powered down or rebooted. Accordingly, security experts recommend leaving infected systems powered up, but disconnected from the internet or local area network, or else they will attempt to infect other PCs (see WannaCry Ransomware: Tools Decrypt for Free).
Are bitcoin payments made by victims to hackers traceable?
Many people believe that using cryptocurrency confers anonymity on users. But that's not necessarily the case.
By 2014, researchers reported that 60 percent of all bitcoin transactions could be tied to a specific IP address, at least in lab tests. Alan Woodward, a computer science professor at the University of Surrey who's a cybersecurity adviser to Europol, says that in the real world, intelligence agencies such as the NSA and GCHQ, which have substantially more resources as well as mandates to track and stop terrorists, might have achieved much higher levels of success (see Tougher to Use Bitcoin for Crime?).
Such efforts focus not just on the blockchain - a public ledger of all bitcoin transactions - but also cross-reference other information, such as bank account transaction times and amounts. It's well-known that the NSA takes an interest in money transfers. A Shadow Brokers dump from April, for example, revealed that the NSA had hacked into at least one service bureau that handled SWIFT inter-bank communications for the Middle East. This would have allowed the intelligence agency to better "follow the money," even if cryptocurrency might have been involved.
So will the WannaCry ransomware gang ever get caught?
That may depend on whether the gang behind WannaCry attempts to convert its bitcoins into cash. Its use of Dropbox might also work against it.
The FBI and its British sister agency, the National Crime Agency, are among the law enforcement and intelligence agencies that have said they're investigating the WannaCry outbreak. Given that Russia - and Russia's interior ministry - was also affected, it's a safe bet the gang is also being hunted by Russian intelligence.
May 18: Added details of new, free Windows XP WannaCry decryption tool, as well as the latest count of victims remitting bitcoins to attackers.
May 22: Updated to note that victims may be able to decrypt any affected Windows PC using free WannaKey and WanaKiwi tools.